Cpre 532 - PowerPoint PPT Presentation

About This Presentation
Title:

Cpre 532

Description:

Hijacking explained. May not have to worry about Ethernet packet ... User that has been hijacked will notice that the server is not responding to the ... – PowerPoint PPT presentation

Slides: 17
Provided by: jamestruc

Transcript and Presenter's Notes

1
Cpre 532
  • Lecture 23

2
Outline
  • Break in lab questions
  • Network Attacks and IDS

3
Session Hijacking
  • Looking to hijack after the user has authenticated
  • Must have traffic between user and server pass
    through our machine
    • ARP spoofing
    • Poorly configured machines
  • TCP basics
    • Ack
    • Sequence
    • By sniffing a packet one can determine the next
      number

4
Hijacking explained
[Slide diagram: the attacker positioned between the two hosts; the labels read "Ax sy" and "Aylength sx" (each side's acknowledgement and sequence numbers)]
  • May not have to worry about the Ethernet packet
    • Must set the destination hardware address to the correct
      machine
    • Source hardware address probably won't make a
      difference except with some switches

5
Hijacking
  • Inject data into the stream
  • The user who has been hijacked will notice that the
    server is not responding to their commands
  • Can send a reset to the user to shut down the connection
  • With websites, the attacker can send a redirect in reply to
    every web request to the server

6
Tools
  • Juggernaut
    • Spy on sessions
    • Take over sessions
    • Two types of hijacking
      • Send a single command
      • Take over the entire session
  • Hunt
    • Finds active connections and allows the user to pick
      which connection to take over
    • Has ARP spoofing built in
    • Possible to hijack and resynchronize both sides

7
Countermeasures
  • Encrypt traffic
    • Use SSH
    • DoS is still possible even when encryption is
      used
  • Switches offer little protection to a motivated
    attacker
    • Dsniff
  • Hard to completely stop

8
Backdoor
  • Common way is to create user accounts on the machine
    to allow an attacker to get back on the system
  • Find a user account that is unused and then
    change its password if the attacker is worried
    about adding another user
  • To add users in UNIX you must have root access,
    so usually the attacker will elevate privileges first
  • Windows: to add a user
    • net user name pw /add
    • Can use LDAP to add a user

9
Startup Files
  • Files can be run automatically at startup time
  • Windows
    • Registry keys
      • RunOnce
      • Run
    • Win.ini
    • Device drivers
    • Countermeasures
      • Hashes of the file system
  • Unix
    • rc files and directories
    • Countermeasures
      • Hashes of the file system, Tripwire
  • Task scheduler
    • Windows has an at command
    • Unix has the cron system

10
Remote Control
  • Netcat
    • Swiss army knife for networking
    • Can execute commands locally on a user-specified
      port
    • Both UNIX and Windows versions
  • Back Orifice (Windows)
  • NetBus (Windows)
  • A personal firewall works well against these
    programs
  • Port redirection
    • Complicated to get set up
    • Creates a tunnel through the firewall
    • Must have already compromised a system

11
Redirection Example
[Slide diagram: an external redirector and an internal redirector on either side of the firewall, connected over port 80]
  • Most firewalls block port 139; use the redirect to
    browse the internal network

12
Backdoor cont.
  • Whack-a-mole
    • Installs a backdoor
  • BoSniffer
    • Supposed to find BO, but instead installs it
  • EliteWrap
    • Allows creation of backdoors
  • Social engineering helps persuade people to
    install these Trojans
  • Windows DLLs are an excellent place to put
    backdoor code

13
SSH
  • Vulnerabilities
    • Version one had vulnerabilities in which a session
      key could be obtained
    • Newer versions fixed this problem
  • Man-in-the-middle attacks still work for SSH
    • The middle man negotiates the keys with each side and
      is transparent to the users
    • Must set up SSH correctly so that if a new public key
      is introduced into the system you don't accept it
    • If the attacker is running a man in the middle, the
      first time a user connects to a server is the
      best possible situation for the attacker

14
Rootkit
  • Replaces the tools needed to track down attackers
  • Most of the time sysadmins reinstall or revert to
    backup when a rootkit has been detected
  • Tripwire can help to detect it, but doesn't stop
    it
  • Attackers can change the Tripwire files so that it
    doesn't detect the changes the rootkit made
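As an added example (not part of the lecture or of Tripwire itself), a minimal Tripwire-style check covering the "hashes of the file system" countermeasure on the Startup Files slide and the caveat on this slide: it hashes every file under a startup directory, compares against a stored baseline, and reports added, removed and modified files. The rc.d tree, its scripts and the tampering are all constructed inside the script; the baseline's own digest is meant to be recorded off the host (read-only media, another machine) so that an attacker with root cannot rewrite the baseline unnoticed.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def baseline_digest(baseline):
    """One digest over the whole baseline; record it off-host so a rootkit
    that edits the baseline file on disk is caught at the next check."""
    canonical = json.dumps(baseline, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()

def compare(baseline, current):
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: a fake rc.d tree, then two startup-file changes."""
    with tempfile.TemporaryDirectory() as root:
        rc = os.path.join(root, "rc.d")
        os.makedirs(rc)
        for name in ("S10network", "S20cron"):
            with open(os.path.join(rc, name), "w") as f:
                f.write("#!/bin/sh\n# constructed startup script\n")
        baseline = build_baseline(root)
        recorded = baseline_digest(baseline)   # this value lives off-host
        # Simulated tampering: one existing script edited, one new one dropped in.
        with open(os.path.join(rc, "S20cron"), "a") as f:
            f.write("# line appended after the baseline was taken\n")
        with open(os.path.join(rc, "S99new"), "w") as f:
            f.write("#!/bin/sh\n")
        assert baseline_digest(baseline) == recorded   # refuse a tampered baseline
        return compare(baseline, build_baseline(root))
```

Running `demo()` reports S20cron as modified and S99new as added; in practice the baseline is taken right after a clean install and compared from trusted media, since tools on a rootkitted host cannot be trusted.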

15
Next Time
  • Intrusion detection

16
Questions